Analysis Overview
SHA256
8bd5a7eafd012d57bc62ca67641e4c452c65ac427b8189ffec5a125f1f2c9f67
Threat Level: Known bad
The file e35861d845057356fd7c600cf895bb0a_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Executes dropped EXE
Loads dropped DLL
UPX packed file
Adds Run key to start application
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 21:39
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 21:39
Reported
2024-04-06 21:42
Platform
win7-20240221-en
Max time kernel
146s
Max time network
126s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\System\rtproc32.exe = "C:\\Program Files (x86)\\Common Files\\System\\rtproc32.exe:*:Enabled:Microsoft Runtime Process for Win32 Services" | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Runtime Process for Win32 Services = "C:\\Program Files (x86)\\Common Files\\System\\rtproc32.exe" | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\System | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\rtproc32.exe | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\rtproc32.exe | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\rtproc32.exe | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\rtproc32.exe | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2784 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | C:\Program Files (x86)\Common Files\System\rtproc32.exe |
| PID 2784 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | C:\Program Files (x86)\Common Files\System\rtproc32.exe |
| PID 2784 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | C:\Program Files (x86)\Common Files\System\rtproc32.exe |
| PID 2784 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | C:\Program Files (x86)\Common Files\System\rtproc32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe"
C:\Program Files (x86)\Common Files\System\rtproc32.exe
"C:\Program Files (x86)\Common Files\System\rtproc32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
Files
memory/2784-0-0x0000000000400000-0x0000000000421000-memory.dmp
\Program Files (x86)\Common Files\System\rtproc32.exe
| MD5 | e35861d845057356fd7c600cf895bb0a |
| SHA1 | 5119b59327cef622c7bde65d973f6d0bbbfee4d6 |
| SHA256 | 8bd5a7eafd012d57bc62ca67641e4c452c65ac427b8189ffec5a125f1f2c9f67 |
| SHA512 | cbd077c9d6df6f372ce7b623ec92ecdee287914c92e2785c6694f717473172880de1e8e185085d955e071d5260f74d8c3cf4c0b7991067ee0522344c08756499 |
memory/2784-10-0x0000000000290000-0x00000000002B1000-memory.dmp
memory/2784-11-0x0000000000290000-0x00000000002B1000-memory.dmp
memory/1992-12-0x0000000000400000-0x0000000000421000-memory.dmp
memory/2784-13-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1992-15-0x0000000000400000-0x0000000000421000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 21:39
Reported
2024-04-06 21:42
Platform
win10v2004-20240319-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\System\rtproc32.exe = "C:\\Program Files (x86)\\Common Files\\System\\rtproc32.exe:*:Enabled:Microsoft Runtime Process for Win32 Services" | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Runtime Process for Win32 Services = "C:\\Program Files (x86)\\Common Files\\System\\rtproc32.exe" | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\System\rtproc32.exe | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\rtproc32.exe | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\rtproc32.exe | C:\Program Files (x86)\Common Files\System\rtproc32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\rtproc32.exe | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4428 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | C:\Program Files (x86)\Common Files\System\rtproc32.exe |
| PID 4428 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | C:\Program Files (x86)\Common Files\System\rtproc32.exe |
| PID 4428 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe | C:\Program Files (x86)\Common Files\System\rtproc32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e35861d845057356fd7c600cf895bb0a_JaffaCakes118.exe"
C:\Program Files (x86)\Common Files\System\rtproc32.exe
"C:\Program Files (x86)\Common Files\System\rtproc32.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2232,i,3915538061666887171,15629965885515244134,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| NL | 23.62.61.170:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 170.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| NL | 142.251.39.110:443 | tcp | |
| NL | 172.217.168.202:443 | tcp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| NL | 142.251.39.110:443 | tcp | |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
| US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | irc.antisecbrteam.tk | udp |
Files
memory/4428-0-0x0000000000400000-0x0000000000421000-memory.dmp
C:\Program Files (x86)\Common Files\System\rtproc32.exe
| MD5 | e35861d845057356fd7c600cf895bb0a |
| SHA1 | 5119b59327cef622c7bde65d973f6d0bbbfee4d6 |
| SHA256 | 8bd5a7eafd012d57bc62ca67641e4c452c65ac427b8189ffec5a125f1f2c9f67 |
| SHA512 | cbd077c9d6df6f372ce7b623ec92ecdee287914c92e2785c6694f717473172880de1e8e185085d955e071d5260f74d8c3cf4c0b7991067ee0522344c08756499 |
memory/2604-6-0x0000000000400000-0x0000000000421000-memory.dmp
memory/4428-7-0x0000000000400000-0x0000000000421000-memory.dmp
memory/2604-8-0x0000000000400000-0x0000000000421000-memory.dmp